Improving BOINC security: Account Keys!

What are account keys?

Account keys enable your BOINC client to continue crunching with your account regardless of email or password changes. You can also log into an individual BOINC project account given the user's account key.

Whilst account keys are handy for users with many computers (saves time logging into each machine) or handy for project admins (no computation downtime due to users changing passwords), they pose an extreme security risk within the BOINC community.

Why are account keys risky?

Changing your username, email and password has no effect on the account key. It can't easily be changed; the project admin has to change it manually.

You can log into the BOINC project web server with a user's individual project account key.

Because the account key never changes, anyone who obtains it has a permanent compromise of that account.

We're on a mission to secure the entire BOINC program. We started out requesting better user access and communication security with SSL last year. Now we're turning our attention to the handling of user data. We have much to do, but we will not stop our efforts. The entire BOINC community will benefit from this and will bring it into the future with great strength!